
范明忠 fjufirefox@gmail.com fan,bill Mandriva Coldfusion

1. Purpose
2. Implementation items
3. Implementation architecture design
   3.1 Concept
   3.2 Actual work
   3.3 Authentication methods
4. Implementation requirements
   4.1 Samba and Windows integration guidelines
   4.2 Environment setup procedure
      4.2.1 LDAP configuration
         (1) /etc/openldap/slapd.conf
         (2) /etc/openldap/slapd.access.conf
         (3) /etc/openldap/ldap.conf
         (4) /etc/ldap.conf
         (5) Using drakauth
      4.2.2 Building the CA
         (1) Creating the rootCA
         (2) Creating the OpenLDAP certificate signing request
         (3) Signing the OpenLDAP certificate with the rootCA
         (4) Copying the generated certificates to /etc/ssl/
         (5) Verifying that the certificate works
      4.2.3 (Firewall + proxy server + DHCPD) configuration
         (1) Editing /etc/squid/squid.conf
         (2) Creating /var/spool/squid
         (3) Editing /etc/pam.d/squid
         (4) Configuring /etc/dhcpd.conf
         (5) Firewall configuration
      4.2.4 SAMBA configuration
         (1) /etc/samba/smb.conf
         (2) smbpasswd -w password -> /etc/samba/secrets.tdb
         (3) /etc/smbldap-tools/smbldap_bind.conf
         (4) /etc/smbldap-tools/smbldap.conf
      4.2.5 BIND configuration
         (1) /etc/named.conf
         (2) /etc/rndc.conf
         (3) /var/named/
         (4) /var/named/logging.conf
         (5) /var/named/bogon_acl.conf
         (6) Using the view concept
      4.2.6 Follow-up work
         (i) Creating ntlogon.bat
         (ii) Making sure roaming profiles work
         (iii) Running smbldap-populate -a root
         (iv) Updating the SID
         (v) Migrating accounts
         (vi) Special notes
         (vii) Setting up the LAM system
         (viii) Creating users
         (ix) Joining the domain
         (x) Logging in
         (xi) Confirming that the write-out completed
         (xii) Connecting to the Samba server through a secure tunnel
         (xiii) CA creation procedure
5. Administration
   5.1 Samba administration
   5.2 Samba anti-virus
6. Improvements, suggestions and lessons learned

1. Purpose

Use OpenLDAP integrated with Samba to replace a Win2k/Win2k3 Active Directory or PDC and lower the TCO. OpenLDAP combined with Samba runs considerably faster than a Win2k/Win2k3 AD, and it integrates with the other services on Linux, such as squid.

Once Samba is introduced it acts as the PDC of an NT domain, with the LDAP directory service providing unified user management for that domain.

2. Implementation items

(1) Samba and Windows integration
    a. ACL-based control of file and directory permissions
    b. User environment integration: user profiles and home directories
    c. SSO (Single Sign-On) support: PAM, Winbind
(2) Proxy authentication

3. Implementation architecture design

3.1 Concept

Samba's modes of cooperation with Windows generally fall into three classes:

(1) Class 1: Server Level
(2) Class 2: Domain Level
(3) Class 3: ADS Level

Table 1  General comparison of NTDS, Active Directory and OpenLDAP features

Feature                                                  | WinNT       | Win2k/ADS            | Linux/OpenLDAP
---------------------------------------------------------|-------------|----------------------|--------------------
Client needs no additional software                      | X           | X                    | X
Hierarchical directory structure possible                |             | X                    | X
Extensible with own attributes and object classes        |             | X                    | X
Character set of directory data                          | Unicode     | Unicode              | Unicode
Directory accessible through a standard protocol (LDAP)  |             | X                    | X
Secure LDAP access over SSL/TLS                          |             | X                    | X
StartTLS support                                         |             | X                    | X
SASL support                                             |             |                      | X
NT client authentication                                 | X           | X                    | via Samba (note 1)
W2K client authentication                                | X           | X                    | via Samba (note 2)
Linux client authentication                              | via winbind | via winbind or LDAP  | X
Kerberos integration possible                            |             | X (note 3)           | X
Standalone/high-end Kerberos service usable              |             | X (note 4)           | X
Access rights on attributes and objects (ACLs)           |             | X                    | X
Delegation of administrative tasks                       |             | X                    | X
Master-slave replication                                 | X           | X (note 5)           | X
Multi-master replication                                 |             | X (note 6)           | X (note 7)

Note 1: If Samba handles the authentication of Windows clients against OpenLDAP, the NT LAN Manager protocol is used between the Windows client and the Samba server.
Note 2: Same as note 1.
Note 3: Kerberos is firmly integrated into Active Directory.
Note 4: Although Active Directory can authenticate against an external Kerberos server, the Active Directory domain can then no longer authenticate Windows 95/98/Me/NT-based machines.
Note 5: In "mixed mode" Active Directory uses master-slave replication between Windows 2000 DCs and Windows NT 4 BDCs.
Note 6: In "native mode" Active Directory uses multi-master replication (which Windows 2000/2003-style domains use exclusively).
Note 7: Multi-master replication in OpenLDAP was considered experimental at the time of writing and is disabled by default.

3.2 Actual work

3.3 Authentication methods

(1) ldap->pam
(2) pam->ldap

4. Implementation requirements

4.1 Samba and Windows integration guidelines

(1) Network browsing and NetBIOS requirements
(2) Samba security level and password encryption requirements
(3) Windows ACL and DFS integration requirements
(4) Printing with automatic driver installation
(5) NT Domain and Windows 200x Domain requirements

4.2 Environment setup procedure

4.2.1 LDAP configuration

(1) /etc/openldap/slapd.conf

include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/corba.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/java.schema
include /usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include /usr/share/openldap/schema/misc.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/openldap.schema
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema
include /etc/openldap/schema/local.schema

# Provide write access to replicators, and cover access to any other
# attributes (default anonymous read access may be undesirable).
# The Replicator clause in the original had no access level at the end of
# the line; "write" is what the comment describes.
access to dn.subtree="dc=homeland,dc=net"
        by group="cn=Replicator,ou=Groups,dc=homeland,dc=net" write
        by users read
        by anonymous read

pidfile  /var/run/ldap/slapd.pid
argsfile /var/run/ldap/slapd.args

modulepath /usr/lib/openldap

# To allow TLS-enabled connections, create the certificate and key files
# named below (section 4.2.2) and uncomment the following lines.
# The original cipher list was HIGH:MEDIUM:+SSLv2:+SSLv3. SSLv2 is broken
# and must never be enabled, and MEDIUM adds nothing useful, so keep HIGH.
TLSCipherSuite HIGH
TLSCertificateFile /etc/ssl/openldap/newcert.pem
# newreq.pem holds the unencrypted private key together with the CSR (4.2.2 (2))
TLSCertificateKeyFile /etc/ssl/openldap/newreq.pem
TLSCACertificateFile /etc/ssl/cacert.pem
# "try": ask clients for a certificate but still accept clients that have
# none. Use "demand" if client certificates are to be mandatory.
TLSVerifyClient try

# logging
loglevel 256

##############################################################
# database definitions
##############################################################
database bdb
suffix "dc=homeland,dc=net"
rootdn "uid=root,ou=Users,dc=homeland,dc=net"

# The hash itself was elided in the original. Generate it with
# "slappasswd -h {SSHA}" and paste the complete {SSHA}... string here;
# never put a cleartext password in this file.
rootpw {SSHA}

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd/tools. Mode 700 recommended.
directory /var/lib/ldap

# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed
# since the last checkpoint
checkpoint 256 5

# Indices to maintain
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# samba searches on sid
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq

# ACL directives are first-match: the first "access to" whose target
# matches decides. The per-subtree rules in slapd.access.conf must therefore
# be read BEFORE the catch-all below, otherwise "access to *" hides every
# one of them (and "by * read" would then hand sambaNTPassword and
# sambaLMPassword, which are password-equivalent, to anonymous binds).
include /etc/openldap/slapd.access.conf

# Basic ACL (deprecated in favour of the ACLs in /etc/openldap/slapd.access.conf).
# The original had two consecutive "access to *" directives; the second one
# (Replicator write) could never be reached, so its clause is merged here.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn="uid=root,ou=Users,dc=homeland,dc=net" write
        by * none

access to *
        by dn="uid=root,ou=Users,dc=homeland,dc=net" write
        by group="cn=Replicator,ou=Groups,dc=homeland,dc=net" write
        by * read

# Replica configuration (if this server is a slave)
#updatedn "cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com"
#updateref "ldap://ldap-master.example.com"

# Replication configuration (if this server is a master)
#replica host=ldap-slave1.example.com:389
#        binddn="cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com"
#        bindmethod=simple credentials="mypassword"

(2) /etc/openldap/slapd.access.conf

# The root DSE should be accessible to all clients
access to dn.exact=""
        by * read

# So should the schema
access to dn.subtree="cn=Subschema"
        by * read

# Password-equivalent attributes. Only the entry itself, the rootdn, the
# domain controllers and the replicators may write them; everyone else may
# only use them to bind ("auth"), never read them. Note that "by self write"
# also lets a user rewrite their own sambaPwdLastSet, which is what the
# domain's password-age policy is checked against; Samba writes these
# attributes as the ldap admin dn, so self write is only needed on
# userPassword for pam_ldap password changes. The quotes in the Replicator
# lines were typographic (“ ”) in the original, which slapd does not parse.
access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=sambaLMPassword,sambaNTPassword,userPassword,sambaPasswordHistory,sambaPwdLastSet
        by self write
        by dn.exact,expand="uid=root,ou=Users,$2" write
        by group.expand="cn=Domain Controllers,ou=Groups,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by anonymous auth
        by * none

# ACL allowing samba domain controllers to add user accounts
# ("entry" and "children" are the pseudo-attributes that control creating
# and deleting entries under ou=Users)
access to dn.regex="^([^,]+,)?ou=Users,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,sambaSamAccount
        by dn.exact,expand="uid=root,ou=Users,$2" write
        by group.expand="cn=Domain Controllers,ou=Groups,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by users read
        by anonymous read

# allow users to modify their own "address book" entries:
access to dn.regex="^([^,]+,)?ou=Users,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=inetOrgPerson,mail
        by self write
        by dn.exact,expand="uid=root,ou=Users,$2" write
        by group.expand="cn=Domain Controllers,ou=Groups,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by users read
        by anonymous read

# Allow samba domain controllers to create groups and group mappings
access to dn.regex="^([^,]+,)?ou=Groups,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixGroup,sambaGroupMapping
        by dn.exact,expand="uid=root,ou=Users,$2" write
        by group.expand="cn=Domain Controllers,ou=Groups,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by users read
        by anonymous read

# Allow samba domain controllers to create machine accounts
access to dn.regex="^([^,]+,)?ou=Computers,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,posixAccount,inetOrgPerson,sambaSamAccount
        by dn.exact,expand="uid=root,ou=Users,$2" write
        by group.expand="cn=Domain Controllers,ou=Groups,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by users read
        by anonymous read

# Allow samba to create idmap entries
access to dn.regex="^([^,]+,)?ou=Idmap,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=entry,children,sambaIdmapEntry
        by dn.exact,expand="uid=root,ou=Users,$2" write
        by group.expand="cn=Domain Controllers,ou=Groups,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by users read
        by anonymous read

# Allow users in the domain to add entries to the "global address book":
# For use with Evolution, the attrs list could be modified to be:
# attrs=children,entry,inetOrgPerson,evolutionperson,calEntry
# if evolutionperson.schema and calendar.schema are available
access to dn.regex="^([^,]+,)?ou=Contacts,(dc=[^,]+(,dc=[^,]+)*)$"
        attrs=children,entry,inetOrgPerson
        by dn.sub,expand="ou=Users,$2" write
        by group.expand="cn=Replicator,ou=Groups,$2" write
        by users read
        by anonymous read
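Both ACL listings above depend on slapd's first-match evaluation: the first "access to" whose target matches the attribute decides, and inside it the first "by" clause that matches the requester sets the access level. The Basic ACL in slapd.conf as originally printed has two consecutive "access to *" directives, so the second (Replicator write) is never consulted, and its "by * read" lets anonymous binds read sambaNTPassword, which the slapd.access.conf rules deliberately guard. The block below is an added example, not from the original document or from OpenLDAP: an evaluator for the attribute-level part of this syntax (the DN regexes are ignored) with both rule sets transcribed, which answers such questions and lists unreachable directives. The requester DNs are constructed for the example.

```python
"""Offline evaluator for slapd-style 'access to <attrs> by <who> <level>' rules.

Models the parts of slapd.access(5) that matter here:
  * directives are tried in order; the first whose target matches decides
  * inside a directive the first matching 'by' clause sets the access level
  * if no 'by' clause matches, or no directive matches, access is denied
Target matching is by attribute only (the DN regexes in the page are ignored).
"""
from typing import FrozenSet, List, NamedTuple, Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOT = "uid=root,ou=Users,dc=homeland,dc=net"            # rootdn from the page
REPL = "cn=Replicator,ou=Groups,dc=homeland,dc=net"      # replicator group from the page
DCS = "cn=Domain Controllers,ou=Groups,dc=homeland,dc=net"
PW_ATTRS = frozenset({"userPassword", "sambaLMPassword", "sambaNTPassword",
                      "sambaPasswordHistory", "sambaPwdLastSet"})


class By(NamedTuple):
    who: str        # "*", "anonymous", "users", "self", "dn=<dn>" or "group=<dn>"
    level: str


class Acl(NamedTuple):
    attrs: Optional[FrozenSet[str]]   # None means "access to *"
    by: List[By]


class Requester(NamedTuple):
    dn: Optional[str]                 # None = anonymous bind
    groups: FrozenSet[str] = frozenset()


def who_matches(who: str, req: Requester, target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return req.dn is None
    if who == "users":
        return req.dn is not None
    if who == "self":
        return req.dn is not None and req.dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        return req.dn is not None and req.dn.lower() == who[3:].lower()
    if who.startswith("group="):
        return who[6:].lower() in {g.lower() for g in req.groups}
    raise ValueError("unknown <who> form: " + who)


def granted(acls, req, target_dn, attr, want):
    """True if `req` gets at least `want` access to `attr` of entry `target_dn`."""
    for acl in acls:
        if acl.attrs is not None and attr not in acl.attrs:
            continue                                   # target does not match, try next directive
        for clause in acl.by:
            if who_matches(clause.who, req, target_dn):
                return LEVELS.index(clause.level) >= LEVELS.index(want)
        return False                                   # implicit trailing "by * none"
    return False                                       # no directive matched: denied


def unreachable(acls):
    """Indices of directives never consulted because an earlier directive
    already matches every attribute they cover."""
    dead = []
    for j, later in enumerate(acls):
        for earlier in acls[:j]:
            if earlier.attrs is None or (later.attrs is not None and later.attrs <= earlier.attrs):
                dead.append(j)
                break
    return dead


# The "Basic ACL" block of the page's slapd.conf, as originally printed.
BASIC = [
    Acl(frozenset({"userPassword"}),
        [By("self", "write"), By("anonymous", "auth"), By("dn=" + ROOT, "write"), By("*", "none")]),
    Acl(None, [By("dn=" + ROOT, "write"), By("*", "read")]),
    Acl(None, [By("group=" + REPL, "write"), By("*", "read")]),
]

# The slapd.access.conf shape: every password-equivalent attribute in one
# directive, then a catch-all that still lets replicators write.
HARDENED = [
    Acl(PW_ATTRS,
        [By("self", "write"), By("dn=" + ROOT, "write"), By("group=" + DCS, "write"),
         By("group=" + REPL, "write"), By("anonymous", "auth"), By("*", "none")]),
    Acl(None, [By("dn=" + ROOT, "write"), By("group=" + DCS, "write"),
               By("group=" + REPL, "write"), By("users", "read"), By("anonymous", "read")]),
]

ANON = Requester(None)
REPLICATOR = Requester("cn=ldap-slave,ou=Hosts,dc=homeland,dc=net", frozenset({REPL}))
BOB = "uid=bob,ou=Users,dc=homeland,dc=net"   # constructed user entry

if __name__ == "__main__":
    print("BASIC: anonymous reads sambaNTPassword:", granted(BASIC, ANON, BOB, "sambaNTPassword", "read"))
    print("BASIC: replicator may write cn:", granted(BASIC, REPLICATOR, BOB, "cn", "write"))
    print("BASIC: unreachable directives:", unreachable(BASIC))
    print("HARDENED: anonymous reads sambaNTPassword:", granted(HARDENED, ANON, BOB, "sambaNTPassword", "read"))
```

The interesting answers are the ones the page's Basic ACL gets wrong: anonymous read of the NT hash is granted, and the Replicator group never obtains write access because directive 2 is shadowed by directive 1.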

(3) /etc/openldap/ldap.conf

URI ldap://127.0.0.1
BASE dc=homeland,dc=net
HOST 127.0.0.1
TLS_CACERT /etc/ssl/cacert.pem
# "try" still accepts a server that presents no certificate at all; "demand"
# is the setting that makes the CA file above binding.
TLS_REQCERT try

(4) /etc/ldap.conf

# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1

# The distinguished name of the search base.
base dc=homeland,dc=net

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# libldap compares the name it connected to with the certificate's Common
# Name (homeland.net in 4.2.2). If the logs show "TLS: hostname does not
# match CN in peer certificate", connect by that name (an /etc/hosts entry
# suffices) instead of 127.0.0.1.
uri ldap://127.0.0.1

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The search scope.
scope one

# Filter to AND with uid=%s
pam_filter objectclass=posixaccount

# The user ID attribute (defaults to uid)
pam_login_attribute uid

# Group member attribute
pam_member_attribute gid

# How password changes made through PAM reach the server. "crypt" makes
# pam_ldap hash the new password with crypt(3) and write userPassword
# itself; the OpenLDAP password-modify extended operation, where the server
# does the hashing, would be "pam_password exop". The original comment
# described exop while the value said crypt.
pam_password crypt

nss_base_passwd ou=Users,dc=homeland,dc=net?sub
nss_base_shadow ou=Users,dc=homeland,dc=net?sub
nss_base_group  ou=Groups,dc=homeland,dc=net?sub
nss_base_hosts  ou=Computers,dc=homeland,dc=net?sub

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
tls_cacertfile /etc/ssl/cacert.pem

# Client certificate and key
# Use these if your server requires client authentication. This file is
# read by every process that does NSS lookups, so pointing tls_key at the
# server's own private key (as the original did) forces that key to be
# world-readable. slapd.conf uses TLSVerifyClient try, which admits clients
# without a certificate, so both lines are left commented out here.
#tls_cert /etc/ssl/openldap/newcert.pem
#tls_key /etc/ssl/openldap/newreq.pem

(5) Using drakauth

In drakauth (Mandriva's authentication configuration tool) choose LDAP and enter

DN   = dc=homeland,dc=net
Host = 127.0.0.1

This switches the system's authentication scheme over to the directory.

4.2.2 Building the CA

(1) Creating the rootCA

$ /usr/lib/ssl/misc/CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.................................++++++
....................................++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:              (choose a passphrase; it is needed every time this CA signs a certificate)
Verifying - Enter PEM pass phrase:  (type the same passphrase again to confirm)
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW                                (country code)
State or Province Name (full name) [Some-State]:Taiwan             (state or province)
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA Servies
Organizational Unit Name (eg, section) []:rootCA
Common Name (eg, YOUR name) []:homeland.net                        (name of the CA)
Email Address []:root@homeland.net                                 (contact e-mail)

This produces:
./demoCA/crl                 certificate revocation list (CRL)
./demoCA/newcerts            a copy of every certificate this CA has signed
./demoCA/private             the CA's private area; holds data that must never leave the machine, i.e. the private key
./demoCA/private/cakey.pem   the CA's private key
./demoCA/index.txt           database of issued certificates
./demoCA/cacert.pem          the CA's certificate
./demoCA/serial              next serial number
./demoCA/certs

cakey.pem signs every certificate this domain will trust, so keep demoCA/ on a machine other than the LDAP server if at all possible, and never copy it along with the other files. 1024-bit RSA was only the CA.pl default of the time; generate keys of at least 2048 bits now (default_bits in /etc/ssl/openssl.cnf, or -newkey rsa:2048 for the request in (2)).

(2) Creating the OpenLDAP certificate signing request

Next, generate the certificate signing request (CSR) for the OpenLDAP server (and any other server that needs one):

% openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem

Generating a 1024 bit RSA private key
............++++++
..........................++++++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taiwan
Organization Name (eg, company) [Internet Widgits Pty Ltd]:homeland Ltd
Organizational Unit Name (eg, section) []:homeland
Common Name (eg, YOUR name) []:homeland.net
Email Address []:root@homeland.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Leave both 'extra' attributes empty. (The original says this avoids a password prompt on every connection; what actually prevents that prompt is -nodes, which writes the private key unencrypted so slapd can load it unattended. The challenge password is just an attribute carried in the CSR and is not used here.) Because -keyout and -out name the same file, newreq.pem ends up holding both the private key and the CSR, which is why slapd.conf's TLSCertificateKeyFile points at it. The Common Name must be the name clients use to reach the server (homeland.net), since that is what the clients' certificate checks compare against.

(3) Signing the OpenLDAP certificate with the rootCA

Now sign the CSR for OpenLDAP with the rootCA just created. CA.pl -sign expects the request in newreq.pem and must be run from the directory that contains demoCA/:

% ./CA.pl -sign

Using configuration from /etc/ssl/openssl.cnf
9310:error:0E06D06C:configuration file routines:NCONF_get_string:no value:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/conf/conf_lib.c:329:group=CA_default name=unique_subject
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep 30 07:46:18 2004 GMT
            Not After : Sep 30 07:46:18 2005 GMT
        Subject:
            countryName               = TW
            stateOrProvinceName       = Taiwan
            localityName              = Taipei
            organizationName          = homeland Ltd
            organizationalUnitName    = homeland
            commonName                = homeland.net
            emailAddress              = root@homeland.net
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                2F:33:E4:E2:24:2E:29:87:C2:AA 5:FC:76:A6:5F:06:69:78:E9:90
            X509v3 Authority Key Identifier:
                keyid:74:B5:A3:12:4A:9E:4D:F2 1 1:00:AF:F3:26 B:3F:9A A:7C:10
                DirName:/C=TW/ST=Taiwan/L=Taipei/O=CA Servies/OU=rootCA/CN=homeland.net/emailAddress=root@homeland.net
                serial:00

Certificate is to be certified until Sep 30 07:46:18 2005 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

The "NCONF_get_string:no value ... name=unique_subject" line is only a warning that openssl.cnf has no unique_subject setting; signing proceeds. Check "CA:FALSE" in the Basic Constraints before deploying: a server certificate issued with CA:TRUE could itself sign further certificates that every client trusting cacert.pem would accept.

(4) Copying the generated certificates to /etc/ssl/

Then put the files just produced in their final locations under /etc/ssl:

% cp demoCA/cacert.pem /etc/ssl/cacert.pem
% mv newcert.pem /etc/ssl/openldap/newcert.pem
% mv newreq.pem /etc/ssl/openldap/newreq.pem

Two corrections to the commands as originally printed: the CA certificate is copied rather than moved, because CA.pl -sign reads demoCA/cacert.pem for every later signing; and the third command must move newreq.pem (private key plus CSR) to newreq.pem, not to newcert.pem, which would overwrite the certificate just signed. newreq.pem contains the unencrypted private key, so make it readable only by root and the user slapd runs as (ldap on Mandriva):

% chown root:ldap /etc/ssl/openldap/newreq.pem
% chmod 640 /etc/ssl/openldap/newreq.pem

(5) Verifying that the certificate works

Both checks below connect to slapd over LDAPS on port 636, so slapd must have ldaps:/// among its -h listeners. The decisive line is "Verify return code: 0 (ok)": it means the server certificate chains to the CA given with -CAfile, which is exactly the check the clients perform through TLS_REQCERT and tls_checkpeer.

(1) OpenSSL output using server-side SSL

% openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/ssl/cacert.pem

---
Server certificate
subject=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
issuer=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
Acceptable client certificate CA names
/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
SSL handshake has read 2083 bytes and written 742 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: B1852092DAB765492123E237D9473E88E1EA0A0907C8BBA092650329E46F22E9
    Session-ID-ctx:
    Master-Key: 36A166C427DB3BCB108FA56C57C4CB8323C38E41D3BFDA44BA58B8CCB92DF30977DE9B21D58D70360937993936C8D22F
    Key-Arg   : None
    Start Time: 1137034912
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

In this captured output subject and issuer are identical and the key is 4096 bits: it comes from a self-signed server certificate of a different run (O=Homeland Org matches neither the CA's O=CA Servies nor the request's O=homeland Ltd above). With the certificate signed in (3), issuer shows the rootCA's DN and the key is 1024 bits; the verification logic is the same.

(2) OpenSSL output using client authentication

% openssl s_client -connect localhost:636 -state -CAfile /etc/ssl/cacert.pem -cert /etc/ssl/openldap/newcert.pem -key /etc/ssl/openldap/newreq.pem

subject=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
issuer=/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
Acceptable client certificate CA names
/C=TW/ST=Taiwan/L=Taipei/O=Homeland Org/OU=Homeland Unit/CN=homeland.net/emailAddress=root@homeland.net
---
SSL handshake has read 2083 bytes and written 3024 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 101B8D9741E8ADF5FB4E0C1A1132B1B287BEF52D9AE980D6D20C7C155856326F
    Session-ID-ctx:
    Master-Key: 400DE182749158EB0A0EFF3DE8E4319257844F98F0FB31FB06D7E1C6C3EF1F572B9DA9D334701079C345CDCE71DD5F61
    Key-Arg   : None
    Start Time: 1137035176
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

The larger "written" byte count in the second run is the client certificate being sent; "Acceptable client certificate CA names" lists the CAs slapd will accept a client certificate from (TLSCACertificateFile in slapd.conf).

4.2.3 (Firewall + proxy server + DHCPD) configuration

(1) Editing /etc/squid/squid.conf

http_port 3128
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_dir diskd /var/spool/squid 9600 16 256
cache_store_log none
# Basic authentication through PAM (see (3), which routes it to LDAP).
# Basic sends the password base64-encoded with every request, so this is
# acceptable on the internal network only.
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl mynetwork src 192.168.0.0/255.255.255.0
# http_access is first-match. In the original "http_access allow password"
# came right after the manager line, ahead of the four deny rules, so any
# authenticated user could CONNECT to arbitrary ports and reach localhost.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# Squid answers with a 407 challenge when an unauthenticated request reaches
# a proxy_auth ACL that is last on its line. Tying it to mynetwork means only
# LAN clients are challenged; any other source falls through to "deny all".
# Intercepted port-80 traffic from the shorewall REDIRECT rule in (5) cannot
# answer a 407, so if interception is kept the LAN has to be allowed on this
# line without "password".
http_access allow mynetwork password
http_access allow localhost
# The original ended with "allow localhost" and relied on Squid's implicit
# default (the opposite of the last rule); make the deny explicit.
http_access deny all
http_reply_access allow all
icp_access allow all
# visible_hostname must be a host name, not an e-mail address
visible_hostname myfirewall.mydomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .homeland.net
err_html_text admin@mydomain.com
deny_info ERR_CUSTOM_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on
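Because http_access is first-match, the order of those lines decides what a user can reach. The block below is an added example, not from the original document or from the Squid project: an offline simulator of Squid's http_access evaluation, fed with the ACLs of this squid.conf in the order the original printed them and in the corrected order. It encodes the behaviour Squid documents for proxy_auth: an unauthenticated request that reaches a proxy_auth ACL placed last on its line is answered with a 407 challenge and evaluation stops, while a line whose other ACLs fail simply does not match. Only the ACL types used here (src, dst, port, method, proto, proxy_auth) are supported; the Request fields and the two rule sets are constructed for the example, and the same ordering applies unchanged to the squidclam variant of the file in (6).

```python
import ipaddress
from typing import Dict, List, NamedTuple, Tuple


class Request(NamedTuple):
    src: str                  # client address
    dst: str                  # destination address (already resolved)
    port: int
    method: str = "GET"
    proto: str = "http"
    authenticated: bool = False


def parse_squid(conf: str) -> Tuple[Dict[str, Tuple[str, List[str]]], List[Tuple[str, List[str]]]]:
    """Collect 'acl NAME TYPE VALUES...' lines (repeated names merge, as in
    Squid) and 'http_access ACTION ACLS...' lines from a squid.conf fragment."""
    acls: Dict[str, Tuple[str, List[str]]] = {}
    rules: List[Tuple[str, List[str]]] = []
    for raw in conf.splitlines():
        fields = raw.split("#", 1)[0].split()      # Squid strips trailing # comments
        if not fields:
            continue
        if fields[0] == "acl":
            name, kind, values = fields[1], fields[2], fields[3:]
            acls.setdefault(name, (kind, []))[1].extend(values)
        elif fields[0] == "http_access":
            rules.append((fields[1], fields[2:]))
    return acls, rules


def acl_matches(kind: str, values: List[str], req: Request) -> bool:
    if kind in ("src", "dst"):
        addr = ipaddress.ip_address(req.src if kind == "src" else req.dst)
        return any(addr in ipaddress.ip_network(v, strict=False) for v in values)
    if kind == "port":
        for v in values:
            lo, _, hi = v.partition("-")
            if int(lo) <= req.port <= int(hi or lo):
                return True
        return False
    if kind == "method":
        return req.method.upper() in [v.upper() for v in values]
    if kind == "proto":
        return req.proto in values
    if kind == "proxy_auth":
        return req.authenticated
    raise ValueError("unsupported acl type " + kind)


def http_access(conf: str, req: Request) -> str:
    """'allow', 'deny' or 'challenge' (407) for `req` under the http_access lines in `conf`."""
    acls, rules = parse_squid(conf)
    for action, names in rules:
        line_matches = True
        for i, name in enumerate(names):
            negate = name.startswith("!")
            kind, values = acls[name.lstrip("!")]
            if kind == "proxy_auth" and not req.authenticated:
                if i == len(names) - 1:
                    return "challenge"         # 407: credentials requested, evaluation stops
                line_matches = False
                break
            if acl_matches(kind, values, req) == negate:
                line_matches = False          # ACL failed (or a negated ACL matched)
                break
        if line_matches:
            return action
    if not rules:
        return "deny"
    return "deny" if rules[-1][0] == "allow" else "allow"   # documented implicit default


ACLS = """
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535 280 488 591 777
acl CONNECT method CONNECT
acl mynetwork src 192.168.0.0/255.255.255.0
"""

# http_access lines in the order the original squid.conf printed them
PAGE_RULES = ACLS + """
http_access allow manager localhost
http_access allow password
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow mynetwork
http_access allow localhost
"""

# deny rules first, authentication tied to the LAN, explicit final deny
FIXED_RULES = ACLS + """
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow mynetwork password
http_access allow localhost
http_access deny all
"""

if __name__ == "__main__":
    relay = Request("192.168.0.50", "10.0.0.5", 25, method="CONNECT", authenticated=True)
    print("authenticated CONNECT to port 25, original order:", http_access(PAGE_RULES, relay))
    print("authenticated CONNECT to port 25, fixed order:   ", http_access(FIXED_RULES, relay))
```

The cases worth trying are an authenticated LAN user issuing CONNECT to port 25 (allowed by the original order, denied by the fixed one), an authenticated request from outside mynetwork (allowed by the original, since "allow password" is not tied to any source), and an unauthenticated outsider, whom the fixed order denies without even offering a 407 challenge.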

(2) Creating /var/spool/squid

Create the cache directory structure under /var/spool/squid (the cache_dir from (1)) with:

squid -z

(3) Editing /etc/pam.d/squid

#%PAM-1.0
# The original also listed "auth required pam_securetty.so" and
# "session optional pam_console.so". Both belong to a console-login stack
# (they check the login tty and console ownership) and have no use for a
# proxy authentication helper, so they are left out here.
auth     required pam_stack.so service=system-auth
auth     required pam_nologin.so
account  required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session  required pam_stack.so service=system-auth

system-auth is the stack drakauth rewrote in 4.2.1 (5), so squid's pam_auth helper ends up validating proxy credentials against the LDAP directory.

(4) Configuring /etc/dhcpd.conf

authoritative;
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
        # default gateway
        option routers 192.168.0.1;
        option subnet-mask 255.255.255.0;
        option domain-name "homeland.net";
        option domain-name-servers 192.168.0.1;
        # Giving an IP address is better here than a name
        #option domain-name-servers ns.domain.org;
        #option nis-domain "homeland.net";
        range dynamic-bootp 192.168.0.128 192.168.0.254;
        default-lease-time 21600;
        max-lease-time 43200;
        host fjufirefox {
                hardware ethernet 00:13:D4:33:73:50;
                fixed-address 192.168.0.123;
        }
        # we want the nameserver to appear at a fixed address
        # host ns {
        #         next-server fixed.mandrakesoft.com;
        #         hardware ethernet 12:34:56:78:AB:CD;
        #         fixed-address 192.168.0.10;
        # }
}

(5) Firewall configuration

Layout:
eth0 -> external, 192.168.1.1
eth1 -> internal, 192.168.0.1

iptables is driven through Shorewall; everything that was changed lives under /etc/shorewall. Note that the package used is shorewall-3.0.3-1mdk.

1. vi shorewall.conf
STARTUP_ENABLED=Yes

2. vi zones   (the original says "zone"; the file is /etc/shorewall/zones)
fw firewall
net ipv4
loc ipv4

3. vi masq
eth0 eth1

4. vi interfaces
net eth0 detect dhcp,tcpflags,routefilter,nosmurfs,logmartians
loc eth1 detect dhcp,tcpflags,detectnets,nosmurfs

5. vi policy
loc net ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info

6. vi rules
Web/ACCEPT net $FW
Web/ACCEPT loc $FW
SSH/ACCEPT net $FW
SSH/ACCEPT loc $FW
SMB/ACCEPT $FW net
# The next line and "LDAP/ACCEPT net $FW" below open the domain controller's
# SMB (135, 137-139, 445) and LDAP (389) ports to the external zone, which the
# policy otherwise DROPs. Unless 192.168.1.0/24 is a trusted network, remove
# both lines; nothing else in this setup needs them.
SMB/ACCEPT net $FW
SMB/ACCEPT $FW loc
SMB/ACCEPT loc $FW
LDAP/ACCEPT net $FW
LDAP/ACCEPT loc $FW
DNS/ACCEPT $FW net
DNS/ACCEPT loc $FW
Ping/ACCEPT loc $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
# intercept web traffic from the LAN into squid on port 3128 (see (1))
REDIRECT loc 3128 tcp www -
ACCEPT $FW net tcp www
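To see what the rules above actually expose on the firewall host (which is also the domain controller, since this is one box), here is an added example, not from the original document or from the Shorewall project: a reader for the rules and policy syntax used on this page that expands the macros and lists the ports each zone may open on $FW. The macro port table is an assumption about Shorewall's stock macro files (check /usr/share/shorewall/macro.* on the box); the set of ports treated as internal-only (SMB and LDAP) is my choice for a domain controller, and both rule sets are transcribed from this section.

```python
from typing import Dict, List, NamedTuple, Tuple

# Assumed port lists of the stock Shorewall macros used on the page
# (verify against /usr/share/shorewall/macro.* on the firewall).
MACROS: Dict[str, List[Tuple[str, str]]] = {
    "Web":  [("tcp", "80"), ("tcp", "443")],
    "SSH":  [("tcp", "22")],
    "SMB":  [("udp", "135"), ("udp", "137"), ("udp", "138"), ("udp", "139"),
             ("udp", "445"), ("tcp", "135"), ("tcp", "139"), ("tcp", "445")],
    "LDAP": [("tcp", "389")],
    "DNS":  [("udp", "53"), ("tcp", "53")],
    "Ping": [("icmp", "8")],
}

# Services a domain controller should offer to the internal zone only (my choice).
INTERNAL_ONLY = frozenset({("tcp", "139"), ("tcp", "445"), ("udp", "137"),
                           ("udp", "138"), ("tcp", "389")})


class Rule(NamedTuple):
    action: str
    src: str
    dst: str
    proto: str
    dport: str


def parse_rules(text: str) -> List[Rule]:
    """Expand 'MACRO/ACTION src dst' and 'ACTION src dst [proto [dport]]' lines."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        head, src, dst = fields[0], fields[1], fields[2]
        if "/" in head:
            macro, action = head.split("/", 1)
            for proto, dport in MACROS[macro]:
                rules.append(Rule(action, src, dst, proto, dport))
        else:
            proto = fields[3] if len(fields) > 3 else "all"
            dport = fields[4] if len(fields) > 4 else "-"
            rules.append(Rule(head, src, dst, proto, dport))
    return rules


def parse_policy(text: str) -> List[Tuple[str, str, str]]:
    policy = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 3:
            policy.append((fields[0], fields[1], fields[2]))
    return policy


def policy_for(policy, src: str, dst: str) -> str:
    """First policy line whose zones match; 'all' is a wildcard, as in Shorewall."""
    for s, d, action in policy:
        if s in (src, "all") and d in (dst, "all"):
            return action
    raise ValueError("no policy for %s -> %s" % (src, dst))


def reachable_on_fw(rules, policy, zone: str):
    """(proto, port) pairs `zone` may open on $FW, or 'ALL' if the policy
    already ACCEPTs everything from that zone to the firewall."""
    if policy_for(policy, zone, "$FW") == "ACCEPT":
        return "ALL"
    return sorted({(r.proto, r.dport) for r in rules
                   if r.action == "ACCEPT" and r.src == zone and r.dst == "$FW"})


def internal_only_exposed(rules, policy, zone: str = "net"):
    reach = reachable_on_fw(rules, policy, zone)
    exposed = INTERNAL_ONLY if reach == "ALL" else INTERNAL_ONLY & set(reach)
    return sorted(exposed)


PAGE_POLICY = """
loc net ACCEPT
$FW net ACCEPT
net all DROP info
all all REJECT info
"""

PAGE_RULES = """
Web/ACCEPT net $FW
Web/ACCEPT loc $FW
SSH/ACCEPT net $FW
SSH/ACCEPT loc $FW
SMB/ACCEPT $FW net
SMB/ACCEPT net $FW
SMB/ACCEPT $FW loc
SMB/ACCEPT loc $FW
LDAP/ACCEPT net $FW
LDAP/ACCEPT loc $FW
DNS/ACCEPT $FW net
DNS/ACCEPT loc $FW
Ping/ACCEPT loc $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
REDIRECT loc 3128 tcp www -
ACCEPT $FW net tcp www
"""

# the same rules without the two lines that open SMB and LDAP to the net zone
HARDENED_RULES = "\n".join(line for line in PAGE_RULES.splitlines()
                           if line not in ("SMB/ACCEPT net $FW", "LDAP/ACCEPT net $FW"))

if __name__ == "__main__":
    rules, policy = parse_rules(PAGE_RULES), parse_policy(PAGE_POLICY)
    print("net -> $FW:", reachable_on_fw(rules, policy, "net"))
    print("internal-only services reachable from net:", internal_only_exposed(rules, policy))
```

Run against the page's rules the audit lists 389/tcp, 445/tcp and the NetBIOS ports as reachable from net; with the two lines removed it lists nothing, while loc keeps everything it needs.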

(6) squid-clamav anti-virus scheme

1. Download squidclam-0.11-1mdk.src.rpm

2. Rebuild it with "rpm --rebuild squidclam-0.11-1mdk.src.rpm"; the binary package is written to /usr/src/RPM/RPMS/i586/squidclam-0.11-1mdk.i586.rpm

3. Install it:
urpmi squidclam-0.11-1mdk.i586.rpm

4. Leave /etc/squidclam.conf unchanged; its contents are:

proxy=http://127.0.0.1:3128
url=http://127.0.0.1/antivir.php
tmp=/tmpdata/squidclam-XXXXXXXX
rldb=200
fsize=202400

5. Add the following line to /etc/fstab, then create and mount the directory. The original mounted it rw,noexec; nosuid and nodev cost nothing on a scratch area that only holds downloads awaiting scanning.

tmpfs /tmpdata tmpfs rw,noexec,nosuid,nodev 0 0

mkdir /tmpdata
mount /tmpdata
chown squid.squid /tmpdata

6. Check that the mount succeeded with df (lowercase). The following line must be present:

tmpfs 157M 0 157M 0% /tmpdata

7. Edit /etc/squid/squid.conf. The lines added for squidclam were highlighted (yellow background, red text) in the original; here they carry an "added for squidclam" comment.

hierarchy_stoplist cgi-bin ?
icp_port 0                                   # added for squidclam
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
redirect_program /usr/sbin/squidclam         # added for squidclam
redirect_children 15                         # added for squidclam
cache_dir diskd /cache/01 3500 22 256        # changed: three cache directories
cache_dir diskd /cache/02 3500 22 256
cache_dir diskd /cache/03 3500 22 256
cache_store_log none
auth_param basic program /usr/lib/squid/pam_auth
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
# refresh_pattern is first-match. The original kept "refresh_pattern . 0 20%
# 4320" at this point, ahead of the three lines added for squidclam, so none
# of them ever matched; the specific patterns now precede the catch-all.
refresh_pattern \.gif$ 10080 100% 43200 override-expire    # added for squidclam
refresh_pattern \.jpg$ 10080 100% 43200 override-expire    # added for squidclam
refresh_pattern . 960 90% 43200 reload-into-ims            # added for squidclam
half_closed_clients off
acl all src 0.0.0.0/0.0.0.0
acl password proxy_auth REQUIRED
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl purge method PURGE                       # added for squidclam
acl CONNECT method CONNECT
acl mynetwork src 192.168.0.0/255.255.255.0
redirector_access deny SSL_ports             # added for squidclam
redirector_access deny localhost             # added for squidclam
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
# "allow password" stood before the deny rules in the original, letting any
# authenticated user bypass them. With proxy_auth last on this line an
# unauthenticated LAN request gets a 407; other sources fall to "deny all".
http_access allow mynetwork password
http_access allow localhost
http_access deny all
http_reply_access allow all
icp_access allow all
forwarded_for off                            # added for squidclam
visible_hostname myfirewall.mydomain.com
httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on
append_domain .homeland.net
err_html_text admin@mydomain.com
deny_info ERR_CUSTOM_ACCESS_DENIED all
memory_pools off
coredump_dir /var/spool/squid
ie_refresh on

8. Check that it is running:

squid -k reconfigure   (a short pause is normal)

tail /var/log/messages   The following line means squidclam has started:

Jan 23 08:47:13 mail squidclam[20439]: squidclam starting up now. reload after 350 URLs

ls -lsa /tmpdata   Entries like these mean it is working:

0 -rw------- 1 squid squid 0 Jan 23 08:46 squidclam-XX0yszPp
0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX2H3o7f
0 -rw------- 1 squid squid 0 Jan 23 08:46 squidclam-XX5rKEqi
0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX5VxJ0W
0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX6c30PG
0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX6iNCm6
0 -rw------- 1 squid squid 0 Jan 23 08:47 squidclam-XX8QJybF
0 -rw------- 1 squid squid 0 Jan 23 08:46 squidclam-XXA1joVc

4.2.4 SAMBA 設定

(1) /etc/samba/smb.conf
建立完成要驗證 Testparm –t /etc/smb.conf 有錯誤就要更改才可以

# Global parameters
[global]
dos charset = CP950
unix charset = CP950
display charset = CP950
workgroup = WORKGROUP
netbios name = SAMBA3PDC
server string = Samba Server %v
interfaces = eth0, eth1, lo
bind interfaces only = Yes
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
enable privileges = Yes
username map = /etc/samba/smbusers
syslog = 0
log file = /var/log/samba/log.%m
30/89
范明忠 fjufirefox@gmail.com fan,bill Mandriva Coldfusion

max log size = 100000


time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap cache time = 60
printcap name = cups
add user script = /usr/sbin/smbldap-useradd -m '%u'
add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow
%g|awk '/^gidNumber:/ {print $2}'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c 'Machine Account' -s
/bin/false '%u'
logon script = ntlogon.bat
logon path = \\%L\Profiles\%U
logon drive = M:
logon home = \\%L\%U
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
dns proxy = No
wins proxy = Yes
wins support = Yes
ldap admin dn = uid=root,ou=Users,dc=homeland,dc=net
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=homeland,dc=net
ldap user suffix = ou=Users
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind separator = #
winbind use default domain = Yes
printer admin = "@Print Operators"
case sensitive = No
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
msdfs root = Yes

[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
root preexec = /usr/bin/ntlogon -u '%u' -g '%g' -o %a -d /var/lib/samba/netlogon/
root postexec = rm -f '/var/lib/samba/netlogon/%u.bat'

[Profiles]
path = /var/lib/samba/profiles
valid users = %U, "Domain Admins"
force user = %U
read only = No
guest ok = Yes
profile acls = Yes
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
use client driver = Yes
browseable = No

[print$]
path = /var/lib/samba/printers
valid users = "@Print Operators"
write list = "@Print Operators"
inherit permissions = Yes
guest ok = Yes

[pdf-gen]
comment = PDF Generator (only valid users)
path = /var/tmp
printable = Yes
printing = bsd
print command = /usr/share/samba/scripts/print-pdf "%s" "%H" "//%L/%u" "%m" "%I" "%J" &
lpq command = /bin/true
lprm command = lprm -P'%p' %j

[tmp]
comment = Temporary file space
path = /tmp
read only = No
guest ok = Yes

(2) smbpasswd -w password -> /etc/samba/secrets.tdb

smbpasswd -w password
Setting stored password for "uid=root,ou=Users,dc=homeland,dc=net" in secrets.tdb

(3) /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="uid=root,ou=Users,dc=homeland,dc=net"
slavePw="password"
masterDN="uid=root,ou=Users,dc=homeland,dc=net"
masterPw="password"

(4) /etc/smbldap-tools/smbldap.conf
Use net getlocalsid to obtain the SID.

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-957364582-1604034972-1376365676"

##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="1"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/ssl/cacert.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/ssl/openldap/newcert.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/ssl/openldap/newreq.pem"

# LDAP Suffix
# Ex: suffix=dc=homeland,dc=net
suffix="dc=homeland,dc=net"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=homeland,dc=net"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=homeland,dc=net"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=homeland,dc=net"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=homeland,dc=net"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
#sambaUnixIdPooldn="sambaDomainName=SMB3,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell

# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="120"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
#userSmbHome="\\PDC-SMB3\homes\%U"
userSmbHome="\\SAMBA3PDC\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
#userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\SAMBA3PDC\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
#userHomeDrive="H:"
userHomeDrive="M:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
#userScript="%U.cmd"
userScript="ntlogon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
mailDomain="homeland.net"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

4.2.5 BIND configuration

(1) /etc/named.conf

// generated by named-bootconf.pl

// secret must be the same as in /etc/rndc.conf (this section ties in with rndc.conf)
key "key" {
algorithm hmac-md5;
secret "7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==";
};

controls {
inet 127.0.0.1 port 953 allow { any; } keys { "key"; };
};

// Access lists (ACL's) should be defined here
include "/var/named/bogon_acl.conf";

options {
version "";
directory "/var/named";
pid-file "/var/run/named/named.pid"; // Put pid file in working dir
dump-file "/var/tmp/named_dump.db";
statistics-file "/var/tmp/named.stats";
zone-statistics yes;
coresize 100M;
auth-nxdomain yes;

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port *;

listen-on port 53 { any; };

cleaning-interval 120;
transfers-in 20;
transfers-per-ns 2;
lame-ttl 0;
max-ncache-ttl 10800;

// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;

// Uncomment these to enable IPv6 connections support
// IPv4 will still work
// listen-on { none; };
// listen-on-v6 { any; };

// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.

blackhole { bogon; };

};

// define logging channels
include "/var/named/logging.conf";

//
// a caching only nameserver config
//
zone "." {
type hint;
file "named.root";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};

zone "homeland.net" {
type master;
file "homeland.net.hosts";
allow-update { key "key"; };
};

zone "0.168.192.in-addr.arpa" {
type master;
file "192.168.0.rev";
allow-update { key "key"; };
};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

(2) /etc/rndc.conf

options {
default-server localhost;
default-key "key";
default-port 953;
};

server localhost {
key "key";
};

key "key" {
algorithm hmac-md5;
secret "7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==";
};

Procedure:
1. dnssec-keygen -a hmac-md5 -b 512 -n HOST localhost
2. Two files are generated:
Klocalhost.+157+26421.private
Klocalhost.+157+26421.key
3. Inspect their contents:
a. [root@localhost rndc]# cat Klocalhost.+157+26421.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==
b. [root@localhost rndc]# cat Klocalhost.+157+26421.key
localhost. IN KEY 512 3 157 7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==
4. Copy the generated Klocalhost.+157+26421.key into place:

cp Klocalhost.+157+26421.key /etc/rndc.key   // replacing rndc.key completes the setup
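The same secret has to appear in the K*.private file, in the K*.key record and in the key stanza of named.conf and rndc.conf. The following added check (not part of the original document, and using a constructed secret rather than the one printed above) extracts all three copies and verifies that they agree and decode to 512 bits:

```python
import base64
import binascii
import re

# Constructed 512-bit secret (NOT the one printed in the document above).
SECRET = base64.b64encode(bytes(range(64))).decode()

# Constructed copies of the three places the secret ends up after step 4.
PRIVATE_FILE = f"Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: {SECRET}\n"
KEY_FILE = f"localhost. IN KEY 512 3 157 {SECRET}\n"
NAMED_CONF = f"""// secret must be the same as in /etc/rndc.conf
key "key" {{
        algorithm hmac-md5;
        secret "{SECRET}";
}};
controls {{
        inet 127.0.0.1 port 953 allow {{ any; }} keys {{ "key"; }};
}};
"""


def secret_from_private(text):
    """Secret from a dnssec-keygen K*.private file (its 'Key:' line)."""
    m = re.search(r"^Key:\s*(\S+)\s*$", text, re.M)
    if not m:
        raise ValueError("no Key: line in private key file")
    return m.group(1)


def secret_from_keyfile(text):
    """Secret from a K*.key file: the base64 after flags, protocol and algorithm of the KEY RR.

    The base64 may be wrapped over several lines (as printed in the document), so all
    trailing fields are joined back together.
    """
    fields = text.split()
    if "KEY" not in fields:
        raise ValueError("no KEY record in key file")
    return "".join(fields[fields.index("KEY") + 4:])


def keys_from_conf(text):
    """Return {key_name: (algorithm, secret)} for every key stanza in named.conf/rndc.conf."""
    text = re.sub(r"//[^\n]*|#[^\n]*", "", text)  # drop line comments first
    stanza = re.compile(
        r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}')
    return {name: (alg.lower(), sec) for name, alg, sec in stanza.findall(text)}


def check_tsig_key(private_text, key_text, conf_text, name="key", bits=512):
    """Return a list of problems; an empty list means every copy of the secret agrees."""
    problems = []
    priv = secret_from_private(private_text)
    if secret_from_keyfile(key_text) != priv:
        problems.append("K*.private and K*.key carry different secrets")
    conf = keys_from_conf(conf_text)
    if name not in conf:
        problems.append(f'no key "{name}" stanza in the config')
    else:
        alg, sec = conf[name]
        if alg != "hmac-md5":
            problems.append(f"config algorithm is {alg}, expected hmac-md5")
        if sec != priv:
            problems.append("config secret differs from K*.private")
    try:
        raw = base64.b64decode(priv, validate=True)
    except binascii.Error:
        problems.append("secret is not valid base64")
    else:
        if len(raw) * 8 != bits:
            problems.append(f"secret is {len(raw) * 8} bits, expected {bits}")
    return problems


if __name__ == "__main__":
    print("problems:", check_tsig_key(PRIVATE_FILE, KEY_FILE, NAMED_CONF) or "none")
```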

(3) /var/named/

A. /var/named/homeland.net.hosts

$TTL 1d
@ IN SOA mail.homeland.net. root.mail.homeland.net. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS mail.homeland.net.
IN MX 10 mail.homeland.net.

$ORIGIN homeland.net.

mail IN A 192.168.0.1
dns IN CNAME mail.homeland.net.
proxy IN CNAME mail.homeland.net.
rootca IN CNAME mail.homeland.net.
ldap IN CNAME mail.homeland.net.
www IN CNAME mail.homeland.net.
ftp IN CNAME mail.homeland.net.
workgroup IN CNAME mail.homeland.net.
B. /var/named/192.168.0.rev
$TTL 1d
@ IN SOA mail.homeland.net. root.mail.homeland.net. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS mail.homeland.net.
$ORIGIN 0.168.192.in-addr.arpa.

;servers
1 IN PTR mail.homeland.net.
1 IN PTR dns.homeland.net.
1 IN PTR proxy.homeland.net.
1 IN PTR ftp.homeland.net.
1 IN PTR ldap.homeland.net.
1 IN PTR www.homeland.net.
1 IN PTR rootca.homeland.net.
1 IN PTR workgroup.homeland.net.
; workgroup refers to the Samba domain

C. /var/named/localhost.rev

$TTL 1d
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.

(4) /var/named/logging.conf

logging {

channel security_channel {
file "/var/log/named/security.log" versions 4 size 10m;
print-category yes;
print-severity yes;
print-time yes;
severity info;
};

channel default_channel {
file "/var/log/named/default.log" versions 4 size 10m;
print-category yes;
print-severity yes;
print-time yes;
};

channel xfer-in_channel {
file "/var/log/named/xfer-in.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

channel xfer-out_channel {
file "/var/log/named/xfer-out.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};
channel update_channel {
file "/var/log/named/update.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

channel notify_channel {
file "/var/log/named/notify.log" versions 4 size 10m;
severity info;
print-category yes;
print-severity yes;
print-time yes;
};

category security { security_channel; };
category default { default_channel; };
category xfer-in { xfer-in_channel; };
category xfer-out { xfer-out_channel; };
category notify { notify_channel; };
category update { null; };
category lame-servers { null; };
category "delegation-only" { "null" ; };

};

(5) /var/named/bogon_acl.conf

acl "bogon" {
// Filter out the bogon networks. These are networks
// listed by IANA as test, RFC1918, Multicast, experi-
// mental, etc. If you see DNS queries or updates with
// a source address within these networks, this is likely
// of malicious origin. CAUTION: If you are using RFC1918
// netblocks on your network, remove those netblocks from
// this list of blackhole ACLs!
0.0.0.0/8;
1.0.0.0/8;
2.0.0.0/8;
5.0.0.0/8;
7.0.0.0/8;
10.0.0.0/8;
23.0.0.0/8;
27.0.0.0/8;
31.0.0.0/8;
36.0.0.0/8;
37.0.0.0/8;
39.0.0.0/8;
41.0.0.0/8;
42.0.0.0/8;
49.0.0.0/8;
50.0.0.0/8;
58.0.0.0/8;
59.0.0.0/8;
60.0.0.0/8;
70.0.0.0/8;
71.0.0.0/8;
72.0.0.0/8;
73.0.0.0/8;
74.0.0.0/8;
75.0.0.0/8;
76.0.0.0/8;
77.0.0.0/8;
78.0.0.0/8;
79.0.0.0/8;
83.0.0.0/8;
84.0.0.0/8;
85.0.0.0/8;
86.0.0.0/8;
87.0.0.0/8;
88.0.0.0/8;
89.0.0.0/8;
90.0.0.0/8;
91.0.0.0/8;
92.0.0.0/8;
93.0.0.0/8;
94.0.0.0/8;
95.0.0.0/8;
96.0.0.0/8;
97.0.0.0/8;
98.0.0.0/8;
99.0.0.0/8;
100.0.0.0/8;
101.0.0.0/8;
102.0.0.0/8;
103.0.0.0/8;
104.0.0.0/8;
105.0.0.0/8;
106.0.0.0/8;
107.0.0.0/8;
108.0.0.0/8;
109.0.0.0/8;
110.0.0.0/8;
111.0.0.0/8;
112.0.0.0/8;
113.0.0.0/8;
114.0.0.0/8;
115.0.0.0/8;
116.0.0.0/8;
117.0.0.0/8;
118.0.0.0/8;
119.0.0.0/8;
120.0.0.0/8;
121.0.0.0/8;
122.0.0.0/8;
123.0.0.0/8;
124.0.0.0/8;
125.0.0.0/8;
126.0.0.0/8;
127.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.2.0/24;
// 192.168.0.0/16;
197.0.0.0/8;
201.0.0.0/8;
224.0.0.0/3;
};
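The ACL above is only safe if it does not swallow the server's own clients. As an added example (not from the original document), this Python snippet parses a constructed excerpt in the same BIND acl format, comments included, and reports which client addresses blackhole { bogon; } would drop, which shows why the 192.168.0.0/16 line must stay commented out for the 192.168.0.0/24 network used here:

```python
import ipaddress
import re

# Constructed excerpt in the bogon_acl.conf format shown above (not the full list).
# 192.168.0.0/16 stays commented out, as in the document, because the internal
# network here is 192.168.0.0/24.
BOGON_ACL = """
acl "bogon" {
    // Filter out the bogon networks. These are networks
    // listed by IANA as test, RFC1918, Multicast, etc.
    0.0.0.0/8;
    10.0.0.0/8;
    127.0.0.0/8;
    169.254.0.0/16;
    172.16.0.0/12;
    192.0.2.0/24;
    // 192.168.0.0/16;
    224.0.0.0/3;
};
"""


def parse_acl(text):
    """Return {acl_name: [ip_network, ...]} for every acl block in a BIND config.

    // and # line comments and /* */ block comments are stripped first, so a
    commented-out prefix is NOT treated as part of the ACL.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    acls, current = {}, None
    for raw in text.splitlines():
        line = re.split(r"//|#", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = re.match(r'acl\s+"?([\w-]+)"?\s*\{', line)
        if m:
            current = m.group(1)
            acls[current] = []
            continue
        if line.startswith("}"):
            current = None
            continue
        if current is not None:
            for token in line.split(";"):
                token = token.strip()
                if token:
                    acls[current].append(ipaddress.ip_network(token, strict=False))
    return acls


def blackholed_by(addr, networks):
    """Return the first prefix that covers addr, or None if the client would be served."""
    ip = ipaddress.ip_address(addr)
    for net in networks:
        if ip in net:
            return net
    return None


def check_clients(acl_text, clients, acl_name="bogon"):
    """Map each client address to the matching prefix (as a string) or None."""
    nets = parse_acl(acl_text)[acl_name]
    result = {}
    for client in clients:
        hit = blackholed_by(client, nets)
        result[client] = str(hit) if hit is not None else None
    return result


if __name__ == "__main__":
    # 192.168.0.50 stands for an internal workstation of this document's network:
    # it must be served, while a packet claiming a 10/8 source is dropped.
    for client, hit in check_clients(BOGON_ACL, ["192.168.0.50", "10.1.2.3", "8.8.8.8"]).items():
        print(f"{client:15} -> {'blackholed by ' + hit if hit else 'served'}")
```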

(6) Using views

a. Modify /etc/named.conf (red text on a yellow background marked the modified parts in the original)
// generated by named-bootconf.pl

// secret must be the same as in /etc/rndc.conf
key "key" {
algorithm hmac-md5;
secret "7X/kAIMk0Ne14Kgz99LMF/vbxiZJxcbxClZRqSjJyFRYbNeR/1MpHJBfYJ0RahdkHtEQhN3LcF0qLsLazIRQ/w==";
};

controls {
inet 127.0.0.1 port 953 allow { any; } keys { "key"; };
};

// Access lists (ACL's) should be defined here
include "/var/named/bogon_acl.conf";

options {
version "";
directory "/var/named";
pid-file "/var/run/named/named.pid"; // Put pid file in working dir
dump-file "/var/tmp/named_dump.db";
statistics-file "/var/tmp/named.stats";
zone-statistics yes;
coresize 100M;
auth-nxdomain yes;

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port *;

listen-on port 53 {
192.168.0.1;
127.0.0.1;
};
cleaning-interval 120;
transfers-in 20;
transfers-per-ns 2;
lame-ttl 0;
max-ncache-ttl 10800;

// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;

// Uncomment these to enable IPv6 connections support
// IPv4 will still work
// listen-on { none; };
// listen-on-v6 { any; };

// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.

blackhole { bogon; };

};

// define logging channels
include "/var/named/logging.conf";

//
// a caching only nameserver config
//
// for internal
view "internal" {
match-clients { 192.168.0.0/24; };
recursion yes;
zone "." {
type hint;
file "named.root";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};

zone "homeland.net" {
type master;
file "homeland.net.hosts";
allow-update { key "key"; };
};

zone "0.168.192.in-addr.arpa" {
type master;
file "192.168.0.rev";
allow-update { key "key"; };
};

};

// for external
view "external" {
match-clients { any ; };
recursion no;
zone "example.com" IN {
type master;
file "example.com.zone";
allow-update { key "key"; };
};

zone "100.168.172.in-addr.arpa" IN {
type master;
file "172.168.100..rev";
allow-update { key "key"; };
};

zone "." {
type hint;
file "named.root";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "localhost.rev";
};

};

// workaround stupid stuff... (OE: Wed 17 Sep 2003)
zone "ac" { type delegation-only; };
zone "cc" { type delegation-only; };
zone "com" { type delegation-only; };
zone "cx" { type delegation-only; };
zone "museum" { type delegation-only; };
zone "net" { type delegation-only; };
zone "nu" { type delegation-only; };
zone "ph" { type delegation-only; };
zone "sh" { type delegation-only; };
zone "tm" { type delegation-only; };
zone "ws" { type delegation-only; };

b. Two new files, example.com.zone and 172.168.100..rev, must be added; they are identical to homeland.net.hosts and 192.168.0.rev except for the IP addresses they refer to.

c. example.com.zone
$TTL 1d
@ IN SOA www.example.com. a8832078.stmail.fju.edu.tw. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS www.example.com.
$ORIGIN example.com.

www IN A 172.168.100.1

d. 172.168.100..rev
$TTL 1d
@ IN SOA www.example.com. a8832078.stmail.fju.edu.tw. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS www.example.com.
$ORIGIN 100.168.172.in-addr.arpa.

;servers
1 IN PTR www.example.com.

4.2.6 Follow-up tasks

(i) Create ntlogon.bat
Edit it with vi /var/lib/samba/netlogon/ntlogon.bat
Edit in :set ff=dos mode
net time \\SAMBA3PDC /set /yes
net use M: /home

Check that it is a DOS-format file:
od -c ntlogon.bat
\r \n marks an MS-DOS style line break, which is the format we want
\n alone marks a Unix style line break

Example:
0000000 n e t t i m e \ \ S A M B A
0000020 3 P D C / s e t / y e s \r \n
0000040 n e t u s e M : / h o m e
0000060 \r \n
0000062

(ii) Make sure roaming profiles work
smb.conf -> [Profiles]

chown nobody.nogroup /var/lib/samba/profiles
chmod 1777 /var/lib/samba/profiles

(iii) Run smbldap-populate -a root

Populating LDAP directory for domain WORKGROUP
(S-1-5-21-4205727931-4131263253-1851132061)
(using builtin directory structure)

adding new entry: dc=homeland,dc=net
adding new entry: ou=Users,dc=homeland,dc=net
adding new entry: ou=Groups,dc=homeland,dc=net
adding new entry: ou=Computers,dc=homeland,dc=net
adding new entry: uid=root,ou=Users,dc=homeland,dc=net
adding new entry: uid=nobody,ou=Users,dc=homeland,dc=net
adding new entry: cn=Domain Admins,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Domain Users,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Domain Guests,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Domain Computers,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Administrators,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Account Operators,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Print Operators,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Backup Operators,ou=Groups,dc=homeland,dc=net
adding new entry: cn=Replicators,ou=Groups,dc=homeland,dc=net
adding new entry: sambaDomainName=WORKGROUP,dc=homeland,dc=net

(iv) Update the SID
smbldap-passwd root

(v) Migrate accounts
cp /etc/passwd /etc/shadow /tmp/
- Remove the unwanted accounts from passwd and shadow
- Keep only root nobody bin daemon messagebus
- export user
- perl -i -pe's@^$ENV{user}:(.*)\n@@' /tmp/passwd
- perl -i -pe's@^$ENV{user}:(.*)\n@@' /tmp/shadow
- cd /usr/share/doc/smbldap-tools-0.8.7/doc
- ./smbldap-migrate-unix-accounts -a -P /tmp/passwd -S /tmp/shadow

cp /etc/group /tmp/
- Remove the unwanted groups from group
- Keep only root bin daemon
- export group
- perl -i -pe's@^$ENV{group}:(.*)\n@@' /tmp/group
- cd /usr/share/doc/smbldap-tools-0.8.7/doc
- ./smbldap-migrate-unix-groups -a -G /tmp/group

(vi) Special notes
Do not use
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%u'
to add computer accounts, because the attributes marked in red in the original (in the entry below) would be missing.
Use the LAM system instead.

dn: sambaSID=S-1-5-21-957364582-1604034972-1376365676-101000,ou=Computers,dc=homeland,dc=net
cn: winxp
uid: winxp$
uidNumber: 50000
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
gecos: Computers
description: Computers
objectClass: posixAccount,sambaSamAccount,account
sambaSID: S-1-5-21-957364582-1604034972-1376365676-101000
sambaAcctFlags: [W ]
displayName: winxp
sambaPrimaryGroupSID: S-1-5-21-957364582-1604034972-1376365676-515
sambaDomainName: WORKGROUP
userPassword:
sambaPwdCanChange: 1136896009
sambaPwdMustChange: 2147483647
sambaNTPassword: B3346744060AEFFEFB62AFDAAB8A3AE1
sambaPwdLastSet: 1136896009
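The attributes a working machine entry needs follow fixed rules: the sambaSID is the domain SID followed by the RID 2*uidNumber+1000 (uidNumber 50000 gives 101000, as in the entry above), and the primary group is Domain Computers, RID 515. As an added example (not from the document and not smbldap-tools code), this Python snippet builds such an entry and checks an existing one against those rules; the domain SID, base DN and group numbers are the ones from smbldap.conf above:

```python
# Domain SID and domain name taken from smbldap.conf above.
DOMAIN_SID = "S-1-5-21-957364582-1604034972-1376365676"
DOMAIN = "WORKGROUP"
COMPUTERS_DN = "ou=Computers,dc=homeland,dc=net"

# Groups that smbldap-populate creates with well-known Windows RIDs; for these
# four the gidNumber equals the RID.
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users",
                         514: "Domain Guests", 515: "Domain Computers"}


def user_rid(uid_number):
    """Samba 3 algorithmic mapping for users and machines: RID = 2 * uid + 1000."""
    return 2 * uid_number + 1000


def group_rid(gid_number):
    """Well-known groups keep their RID; other groups map to 2 * gid + 1001."""
    if gid_number in WELL_KNOWN_GROUP_RIDS:
        return gid_number
    return 2 * gid_number + 1001


def machine_entry(name, uid_number, gid_number=515, domain_sid=DOMAIN_SID):
    """Return the attributes of a machine trust account as an ordered dict of LDIF values."""
    host = name.rstrip("$").lower()
    sid = f"{domain_sid}-{user_rid(uid_number)}"
    return {
        "dn": f"sambaSID={sid},{COMPUTERS_DN}",
        "cn": host,
        "uid": host + "$",                     # machine account names end in '$'
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "homeDirectory": "/dev/null",
        "loginShell": "/bin/false",
        "objectClass": "posixAccount,sambaSamAccount,account",
        "sambaSID": sid,
        "sambaAcctFlags": "[W          ]",    # W = workstation trust; Samba pads to 11 chars
        "sambaPrimaryGroupSID": f"{domain_sid}-{group_rid(gid_number)}",
        "sambaDomainName": DOMAIN,
        "sambaPwdMustChange": "2147483647",    # machine passwords never expire
    }


def check_entry(entry, domain_sid=DOMAIN_SID):
    """Verify the invariants a machine entry must satisfy; returns a list of problems."""
    problems = []
    if not entry.get("uid", "").endswith("$"):
        problems.append("uid must end with '$'")
    sid = entry.get("sambaSID", "")
    if not sid.startswith(domain_sid + "-"):
        problems.append("sambaSID is not in this domain")
    if sid != f"{domain_sid}-{user_rid(int(entry['uidNumber']))}":
        problems.append("sambaSID does not match domain SID + (2*uidNumber+1000)")
    if "W" not in entry.get("sambaAcctFlags", ""):
        problems.append("sambaAcctFlags lacks W (workstation trust)")
    if entry.get("sambaPrimaryGroupSID") != f"{domain_sid}-{group_rid(int(entry['gidNumber']))}":
        problems.append("sambaPrimaryGroupSID does not match gidNumber")
    return problems


def to_ldif(entry):
    """Render the entry in the one-attribute-per-line form shown in the document."""
    return "\n".join(f"{k}: {v}" for k, v in entry.items()) + "\n"


if __name__ == "__main__":
    entry = machine_entry("winxp", 50000)
    print(to_ldif(entry))
    print("problems:", check_entry(entry) or "none")
```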

(vii) Set up the LAM system
a. Download
cd /opt
wget http://nchc.dl.sourceforge.net/sourceforge/lam/ldap-account-manager_0.5.3.tar.gz

b. Extract
tar xvf ldap-account-manager_0.5.3.tar.gz

c. Move ldap-account-manager_0.5.3/ to the default www directory configured in httpd.conf
mv ldap-account-manager_0.5.3 /var/www/html/
cd /var/www/html
mv ldap-account-manager_0.5.3 lam
chown apache.apache -R lam

d. Edit the configuration files config.cfg_sample and lam.conf_sample
mv lam.conf_sample lam.conf
mv config.cfg_sample config.cfg

e. config.cfg settings
# password to add/delete/rename configuration profiles
password: password
# default profile, without ".conf"
default: lam

f. lam.conf settings (red marked the changed parts in the original)
ServerURL: ldap://localhost:389
Passwd:
usersuffix: ou=Users,dc=homeland,dc=net
groupsuffix: ou=Groups,dc=homeland,dc=net
hostsuffix: ou=Computers,dc=homeland,dc=net
domainsuffix: dc=homeland,dc=net
userlistAttributes: #uid;#givenName;#sn;#uidNumber;#gidNumber
grouplistAttributes: #cn;#gidNumber;#memberUID;#description
hostlistAttributes: #cn;#description;#uidNumber;#gidNumber
maxlistentries: 30
defaultLanguage: en_GB.utf8:UTF-8:English (Great Britain)
scriptPath:
scriptServer:
cachetimeout: 5
usermodules: shadowAccount,inetOrgPerson,posixAccount,sambaSamAccount
groupmodules: posixGroup,sambaGroupMapping
hostmodules: account,sambaSamAccount,posixAccount
modules: posixAccount_minUID: 10000
modules: posixAccount_maxUID: 30000
modules: posixAccount_minMachine: 50000
modules: posixAccount_maxMachine: 60000
modules: posixGroup_minGID: 10000
modules: posixGroup_maxGID: 20000
modules: posixGroup_pwdHash: SSHA
modules: posixAccount_pwdHash: SSHA
treesuffix: dc=homeland,dc=net

Login is possible only for root.

Add computers through the LAM system:
http://192.168.0.1/lam/
Remember to select sambaSID mode.

(viii) Create users

(ix) Join the domain
1. Get the registry files from /usr/share/doc/samba-doc-3.0.13/docs/registry
2. Pick the one that matches the client
3. For example, Windows XP uses
WinXP_SignOrSeal.reg
4. Select -> Change

5. Select -> Domain -> WORKGROUP -> Join domain

6. Log in as root

7. The workgroup domain is joined successfully

8. Reboot

9. The SSO setup is complete

(x) Logging in
1. Logging in at boot

2. User login

3. Automatic mount

(xi) Confirm the profile is written back
1. Data is written back on logout

2. Where the data is stored

(xii) Connect to the Samba server through a secure tunnel

(1) Disable the Windows File and Printer Sharing service

(2) Use PuTTY

(3) Internal settings

(4) Use Windows Explorer (type \\samba3pdc in the address bar; this is the netbios name = SAMBA3PDC set in smb.conf)

(5) Log in to the Samba server

(6) Login complete

(xiii) CA creation procedure

1. First create the root CA, i.e. the top-level CA certificate

[root@localhost misc]# ./CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 4096 bit RSA private key
.........++
...........................................................................................++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase: [enter a passphrase]
Verifying - Enter PEM pass phrase: [enter the same passphrase]
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:homeland Ltd
Organizational Unit Name (eg, section) []:homeland CA Services
Common Name (eg, YOUR name) []:homeland_CA
Email Address []:fan@homeland.net

2. Confirm that the CA certificate and key were generated

./demoCA/crl                 Certificate Revocation List
./demoCA/newcerts            copies of every certificate signed by this CA
./demoCA/private             the CA's private area, holding data that must not leak, such as the private key
./demoCA/private/cakey.pem   the CA's private key
./demoCA/index.txt
./demoCA/cacert.pem          the CA's certificate
./demoCA/serial
./demoCA/certs

3. Generate the certificate request needed, e.g. for e-mail signing and encryption or for SSL transport encryption such as https.

[root@localhost misc]# openssl req -newkey rsa:4096 -nodes -keyout newreq.pem -out newreq.pem
Generating a 4096 bit RSA private key
.......................................................................................................++
...................................++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TW
State or Province Name (full name) [Some-State]:Taiwan
Locality Name (eg, city) []:Taipei
Organization Name (eg, company) [Internet Widgits Pty Ltd]:homeland Ltd
Organizational Unit Name (eg, section) []:homeland LDAP Services
Common Name (eg, YOUR name) []:ldap.homeland.net
Email Address []:fan@homeland.net

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(do not enter anything)
An optional company name []:(do not enter anything)

4. Generate the user's certificate from the CSR
[root@localhost misc]# ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
a9:63:8f:f4:cc:dd:73:99
Validity
Not Before: Jan 20 07:02:05 2006 GMT
Not After : Jan 20 07:02:05 2007 GMT
Subject:
countryName = TW
stateOrProvinceName = Taiwan
localityName = Taipei
organizationName = homeland Ltd
organizationalUnitName = homeland LDAP Services
commonName = ldap.homeland.net
emailAddress = fan@homeland.net
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
23:56:38:E0:69:6C:DF:CD:1F:42:25:8D:DD:C0:5D:E4:DA:14:7B:9E
X509v3 Authority Key Identifier:
keyid:21:A0:DF:D1:EB:EA:3E:FE:F8:32:51:74:35:D2:E8:CF:B2:51:0F:9C
DirName:/C=TW/ST=Taiwan/L=Taipei/O=homeland Ltd/OU=homeland CA Services/CN=homeland_CA/emailAddress=fan@homeland.net
serial:A9:63:8F:F4:CC:DD:73:98

Certificate is to be certified until Jan 20 07:02:05 2007 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

5. Administration

5.1 Samba administration

a. Update samba and smbldap-tools to the latest packages
Download samba-3.0.20-3mdk.src.rpm and smbldap-tools-0.9.2-1mdk.src.rpm

rpm --rebuild samba-3.0.20-3mdk.src.rpm
rpm --rebuild smbldap-tools-0.9.2-1mdk.src.rpm

The finished packages are placed in /usr/src/RPM/RPMS/i586
The packages produced are:
libsmbclient0-3.0.20-2.1.102mdk.i586.rpm
libsmbclient0-devel-3.0.20-2.1.102mdk.i586.rpm
libsmbclient0-static-devel-3.0.20-2.1.102mdk.i586.rpm
mount-cifs-3.0.20-2.1.102mdk.i586.rpm
nss_wins-3.0.20-2.1.102mdk.i586.rpm
samba-client-3.0.20-2.1.102mdk.i586.rpm
samba-common-3.0.20-2.1.102mdk.i586.rpm
samba-doc-3.0.20-2.1.102mdk.i586.rpm
samba-passdb-mysql-3.0.20-2.1.102mdk.i586.rpm
samba-passdb-pgsql-3.0.20-2.1.102mdk.i586.rpm
samba-passdb-xml-3.0.20-2.1.102mdk.i586.rpm
samba-server-3.0.20-2.1.102mdk.i586.rpm
samba-smbldap-tools-3.0.20-2.1.102mdk.i586.rpm
samba-swat-3.0.20-2.1.102mdk.i586.rpm
samba-vscan-clamav-3.0.20-2.1.102mdk.i586.rpm
samba-vscan-icap-3.0.20-2.1.102mdk.i586.rpm
samba-winbind-3.0.20-2.1.102mdk.i586.rpm
smbldap-tools-0.9.2-0.1.102mdk.i586.rpm

b. cd /usr/src/RPM/RPMS/i586
Install with urpmi or with rpm -Uvh

c. Modify /etc/smbldap-tools/smbldap.conf
Work from the new smbldap.conf.rpmsave: copy the matching settings from smbldap.conf into smbldap.conf.rpmsave, then replace smbldap.conf with smbldap.conf.rpmsave when done.

The modifications are as follows (red text on a yellow background marked the modified parts in the original):
# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-1628091772-245403179-1700601366"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="WORKGROUP"

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
slaveLDAP="127.0.0.1"

# Slave LDAP port
# If not defined, parameter is set to "389"
slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="127.0.0.1"

# Master LDAP port
# If not defined, parameter is set to "389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "1"
ldapTLS="0"
# (very important: this must be 0, or smbldap-tools will not work in this setup)

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/ssl/cacert.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/ssl/openldap/newcert.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/ssl/openldap/newreq.pem"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=homeland,dc=net"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
#usersdn="ou=People,${suffix}"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
#computersdn="ou=Hosts,${suffix}"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
#groupsdn="ou=Group,${suffix}"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=WORKGROUP,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="120"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\SAMBA3PDC\homes\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\SAMBA3PDC\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="M:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="ntlogon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="mail.homeland.net"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

A word on ldapTLS="0": with start_tls off, smbldap-tools binds to slapd in clear text and verify, cafile, clientcert and clientkey are not used at all. That is tolerable here only because masterLDAP and slaveLDAP are both 127.0.0.1, so the bind DN and password in smbldap_bind.conf never leave the host; if either server were remote, ldapTLS="1" with verify="require" would be required. A common reason start_tls fails from smbldap-tools while ldapsearch works is that the key in newreq.pem is passphrase-protected (CA.pl -newreq generates it that way unless -newreq-nodes is used) and Net::LDAP cannot load it non-interactively; the fix is an unencrypted copy (for example openssl rsa -in newreq.pem -out /etc/ssl/openldap/key.pem, mode 0600, readable only by root) with clientkey pointing at it.

d. Run smbldap-populate to update the directory's base entries.

e. Download srvtools.exe (the Windows NT Server Tools), unpack it and use the two tools it contains.

Use usrmgr.exe (User Manager for Domains):

Add a user (only the account name and password are needed; the remaining attributes are filled in automatically).

Log in with the new account (the password must be changed at first login).

Once the password has been changed, the login succeeds.

Use srvmgr.exe (Server Manager):

Add the computer with Computer / Add to Domain.

f. Add a computer from the command line:
smbldap-useradd -i computername
It prompts for a password, which must be entered. Note that -i creates an interdomain trust account (which is why a password is requested); for an ordinary workstation trust account the usual form is smbldap-useradd -w computername, which asks for no password.

g. For TLS to work (so that the system runs without errors), only /etc/openldap/ldap.conf needs to be changed, as follows:
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#HOST ldap.example.com ldap-master.example.com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://127.0.0.1
BASE dc=homeland,dc=net
HOST 127.0.0.1
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never

# SSL/TLS configuration. With CA-signed certs, TLS_REQCERT should be
# "demand", with the CA certificate accessible
#TLS_CACERT /etc/ssl/cacert.pem
#TLS_CACERTDIR /etc/ssl/openldap
#TLS_REQCERT ([demand],never,allow,try)

TLS_CACERT /etc/ssl/cacert.pem
# TLS_CERT /etc/ssl/openldap/newcert.pem
# TLS_KEY /etc/ssl/openldap/newreq.pem
TLS_REQCERT allow

TLS_REQCERT allow means libldap (and with it nss_ldap, pam_ldap and ldapsearch) goes ahead even when the server certificate cannot be verified: the session is encrypted but the server is not authenticated, which is exactly what the file's own comment warns against for CA-signed certificates. With the CA in /etc/ssl/cacert.pem, demand should work; when it does not, the usual cause is a name mismatch: if the certificate was issued to the server's name (ldap.homeland.net in /etc/hosts) while URI points at 127.0.0.1, the hostname check fails. Set URI ldap://ldap.homeland.net together with TLS_REQCERT demand, then verify with ldapsearch -x -ZZ -b dc=homeland,dc=net (-ZZ makes the search fail instead of silently continuing without TLS).


h. Add the line below to /usr/share/msec/perm.4; without it msec resets the permissions of the profiles directory and roaming profiles stop working.
/var/lib/samba/profiles/ nobody.nogroup 1777
Mode 1777 lets every domain user create a profile directory while the sticky bit prevents users from deleting or renaming each other's. Because /usr/share/msec/perm.4 belongs to the msec package and is overwritten on upgrade, the line is better kept in /etc/security/msec/perm.local, the file msec provides for local overrides of the level file.

i. Set /etc/resolv.conf to the following:

[root@mail etc]# more resolv.conf
search homeland.net
nameserver 192.168.1.254
nameserver 140.132.32.211
nameserver 140.132.32.212

j. Set /etc/hosts to the following:

192.168.1.1 mail.homeland.net dns.homeland.net proxy.homeland.net rootca.homeland.net ldap.homeland.net www.homeland.net ftp.homeland.net
127.0.0.1 localhost.localdomain localhost

5.2 Samba antivirus

1. First install the clamav and samba-vscan-clamav packages, with urpmi or smart.

2. Start the antivirus services:
service freshclam start (keeps the signature database updated automatically)
service clamd start (starts the scanning daemon)

3. Edit the configuration:
a. vi /etc/freshclam.conf (signature update configuration)
No change needed; the Mandriva defaults are fine.

b. vi /etc/clamd.conf (scanner daemon configuration)
No change needed; the Mandriva defaults are fine.


c. vi /etc/samba/vscan-clamav.conf (the samba-vscan configuration for clamd)

The changed entries were highlighted in red in the original.

[samba-vscan]
; run-time configuration for vscan-samba using
; clamd
; all options are set to default values

; do not scan files larger than X bytes. If set to 0 (default),
; this feature is disable (i.e. all files are scanned)
max file size = 0

; log all file access (yes/no). If set to yes, every access will
; be logged. If set to no (default), only access to infected files
; will be logged
; (yes only while testing that scanning works; set it back to no afterwards,
; because the log volume is very large)
verbose file logging = yes

; if set to yes (default), a file will be scanned while opening
scan on open = yes
; if set to yes, a file will be scanned while closing (default is yes)
scan on close = yes

; if communication to clamd fails, should access to file denied?
; (default: yes)
deny access on error = yes

; if daemon files with a minor error (corruption, etc.),
; should access to file denied?
; (default: yes)
deny access on minor error = yes

; send a warning message via Windows Messenger service
; when virus is found?
; (default: yes)
send warning message = yes

; what to do with an infected file
; quarantine: try to move to quantine directory; delete it if moving fails
; delete: delete infected file
; nothing: do nothing (default)
infected file action = quarantine

; where to put infected files - you really want to change this!
quarantine directory = /tmp
; prefix for files in quarantine
quarantine prefix = vir-

; as Windows tries to open a file multiple time in a (very) short time
; of period, samba-vscan use a last recently used file mechanism to avoid
; multiple scans of a file. This setting specified the maximum number of
; elements of the last recently used file list. (default: 100)
max lru files entries = 100

; an entry is invalidad after lru file entry lifetime (in seconds).
; (Default: 5)
lru file entry lifetime = 5

; exclude files from being scanned based on the MIME-type! Semi-colon
; seperated list (default: empty list). Use this with care!
exclude file types =

; socket name of clamd (default: /var/run/clamd). Setting will be ignored if
; libclamav is used
clamd socket name = /var/lib/clamav/clamd.socket

; limits, if vscan-clamav was build for using the clamav library (libclamav)
; instead of clamd
; maximum number of files in archive (default: 1000)
libclamav max files in archive = 1000

; maximum archived file sitze, in bytes (default: 10 MB)
libclamav max archived file size = 10 * 1048576

; maximum recursion level (default: 5)
libclamav max recursion level = 5

Two of these values deserve attention. quarantine directory = /tmp is the one the file itself says to change: /tmp is world-readable and world-writable, so a quarantined file remains readable by every local user, can be tampered with, and may be removed by tmp cleaners; use a dedicated directory owned by root with mode 0700. The clamd socket name must match LocalSocket in /etc/clamd.conf; the value shown is the Mandriva default, which is why it differs from samba-vscan's own default of /var/run/clamd. With deny access on error = yes, a stopped clamd makes every file on the scanned share unreadable, which is the safe failure mode but also the first thing to check when users report access denied on everything.

d. Apply it to the shares that should be scanned. In smb.conf, add the following two lines to the section of each share to be scanned:

[share folder]
vfs objects = vscan-clamav recycle
vscan-clamav: config-file = /etc/samba/vscan-clamav.conf

The corresponding comment in the Mandriva smb.conf reads:
# You can enable VFS recycle bin and on-access virus-scanning on a per
# share basis:
# Uncomment the next 2 lines (make sure you create a .recycle folder in
# the base of the share and ensure all users will have write access to it.
# For virus scanning, install samba-vscan-clamav and ensure the clamd service
# is running

e. Restart smb:
service smb restart

f. Check that samba-vscan-clamav is running:

tail /var/log/messages

Jan 21 11:07:49 mail smbd_vscan-clamav[15992]: samba-vscan (vscan-clamav 0.3.6b) registered (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jan 21 11:07:49 mail smbd_vscan-clamav[15992]: samba-vscan (vscan-clamav 0.3.6b) connected (Samba 3.0), (c) by Rainer Link, OpenAntiVirus.org
Jan 21 11:07:49 mail smbd_vscan-clamav[15992]: INFO: connect to service root by user root

The scanner is activated as soon as a user connects to the share.


5.3 Upgrading Mandriva

Points to note when upgrading from an older Mandrake release to a newer one:

1. The kernel is the main indicator.
   a. Check whether the kernel of the target release matches the old one.
   b. If it matches, the upgrade can be done directly.
   c. If it does not, upgrade the kernel first.
2. Mandrake 9.2 -> Mandriva 10.1
   a. Mandrake 9.2 ships a 2.4 kernel by default, so the kernel must first be upgraded to 2.6; otherwise some functions will not work after the upgrade.
   b. Upgrading to Mandriva 2006 does not have this problem, because the upgrade also moves the kernel to 2.6.


6. Improvements, suggestions and lessons learned

Planned additions and corrections:

1. DFS shared directory support (reserved)

2. VPN and SmartCard integrated login

3. Security hardening of the lam system

4. Squid accounting of per-user traffic

5. Integrate DHCP for IP address control

Reserved for future development
1. Build a BDC
2. In /etc/openldap/slapd.conf (on the BDC, the replication consumer) add
updatedn "uid=root,ou=Users,dc=homeland,dc=net"
updateref ldap://192.168.0.1
3. Create the replica directory and an empty log file replica.log (on the PDC; this is the replication log slurpd reads)
mkdir /var/lib/ldap/replica
touch /var/lib/ldap/replica/replica.log
chown -R ldap.ldap /var/lib/ldap
4. Edit /etc/smbldap-tools/smbldap_bind.conf
$masterLDAP="192.168.0.1";
(with smbldap-tools 0.9.x, masterLDAP lives in smbldap.conf as shown in 5.1; smbldap_bind.conf holds only the bind DNs and passwords)
5. Synchronise the domain SID between PDC and BDC
net rpc getsid
6. Remove the TDB databases on the BDC, then set its SID (the value below is a placeholder; use the PDC's actual domain SID)
net setlocalsid S-1-5-21-1231241354325465435-34123125123141412
7. Store again the password of the administrator DN used to access the LDAP database
smbpasswd -w passwd
8. Confirm that the BDC's domain SID matches the PDC's
net getlocalsid
9. Start Samba on the BDC


service smb start
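The check below is an added example and not part of the original outline; it automates steps 5 to 8 of the BDC list. Before smb is started on the BDC, the domain SID reported by net getlocalsid on the PDC, by net getlocalsid on the BDC, and the SID= line of smbldap.conf must be identical and well-formed, and the placeholder SID in step 6 would fail that test. The command outputs are constructed samples; the assumed output shape ("SID for domain NAME is: S-1-5-21-...") and the use of -S to name the PDC in net rpc getsid are mine.

```sh
#!/bin/sh
# Added example, not part of the original document: a pre-flight check for
# steps 5 to 8 of the BDC outline. Before smb is started on the BDC, the
# domain SID must be the same in three places: "net getlocalsid" on the PDC,
# "net getlocalsid" on the BDC, and SID= in smbldap.conf. The command outputs
# below are constructed samples (my assumption about their shape:
# "SID for domain NAME is: S-1-5-21-...").

# sid_valid SID: a Samba/NT domain SID is S-1-5-21 followed by exactly three
# 32-bit sub-authorities; the placeholder in the outline fails this check.
sid_valid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]{1,10}-[0-9]{1,10}-[0-9]{1,10}$'
}

# sid_from_net_output: extract the SID from "net getlocalsid" output on stdin
sid_from_net_output() {
    sed -n 's/^SID for domain .* is: \(S-[0-9-]*\).*/\1/p' | head -n 1
}

# sid_from_smbldap_conf FILE: the SID="..." value of smbldap.conf
sid_from_smbldap_conf() {
    sed -n 's/^[[:space:]]*SID="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# sids_consistent PDC_SID BDC_SID CONF_SID: 0 if all three are valid and equal
sids_consistent() {
    sid_valid "$1" && sid_valid "$2" && sid_valid "$3" \
        && [ "$1" = "$2" ] && [ "$1" = "$3" ]
}

demo() {
    d=$(mktemp -d)
    # Constructed outputs, as if captured on each host (SID taken from the
    # smbldap.conf shown in 5.1).
    pdc_out='SID for domain MAIL is: S-1-5-21-1628091772-245403179-1700601366'
    bdc_out='SID for domain BDC is: S-1-5-21-1628091772-245403179-1700601366'
    printf 'SID="S-1-5-21-1628091772-245403179-1700601366"\n' > "$d/smbldap.conf"
    pdc=$(printf '%s\n' "$pdc_out" | sid_from_net_output)
    bdc=$(printf '%s\n' "$bdc_out" | sid_from_net_output)
    conf=$(sid_from_smbldap_conf "$d/smbldap.conf")
    if sids_consistent "$pdc" "$bdc" "$conf"; then
        echo "domain SID $pdc agrees on PDC, BDC and smbldap.conf: safe to start smb on the BDC"
    else
        echo "SID mismatch (PDC=$pdc BDC=$bdc conf=$conf): run 'net rpc getsid -S <pdc>' on the BDC first"
    fi
    # The outline's placeholder is not a usable SID:
    if sid_valid 'S-1-5-21-1231241354325465435-34123125123141412'; then
        echo 'placeholder accepted (unexpected)'
    else
        echo 'placeholder S-1-5-21-1231241354325465435-34123125123141412 is not a valid domain SID'
    fi
    rm -rf "$d"
}
demo
```

On real hosts, feed the captured output of net getlocalsid from each machine into sid_from_net_output and the BDC's /etc/smbldap-tools/smbldap.conf into sid_from_smbldap_conf; only when sids_consistent succeeds should step 9 (service smb start on the BDC) be run, otherwise machine and user accounts created on one controller will not be recognised by the other.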

Lessons learned
1. Build the environment according to the requirements.
2. Planning should lead and implementation follow (as The Mythical Man-Month observes, planning takes up the largest share of system development time).
3. The logic of each step must be clear; otherwise security holes appear in the system.
